OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

ADMINISTRATIVE COSTS CLAIMED
BY THE UTAH DISABILITY
DETERMINATION SERVICES

March 2009   A-07-09-19005

AUDIT REPORT

Mission
By conducting independent and objective audits, evaluations and investigations,
we inspire public confidence in the integrity and security of SSA’s programs and
operations and protect them against fraud, waste and abuse. We provide timely,
useful and reliable information and advice to Administration officials, Congress
and the public.

Authority
The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

• Conduct and supervise independent and objective audits and
  investigations relating to agency programs and operations.
• Promote economy, effectiveness, and efficiency within the agency.
• Prevent and detect fraud, waste, and abuse in agency programs and
  operations.
• Review and make recommendations regarding existing and proposed
  legislation and regulations relating to agency programs and operations.
• Keep the agency head and the Congress fully and currently informed of
  problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

• Independence to determine what reviews to perform.
• Access to all information necessary for the reviews.
• Authority to publish findings and recommendations based on the reviews.

Vision
We strive for continual improvement in SSA’s programs, operations and
management by proactively seeking new ways to prevent and deter fraud, waste
and abuse.
We commit to integrity and excellence by supporting an environment
that provides a valuable public service while encouraging employee development
and retention and fostering diversity and innovation.

SOCIAL SECURITY
MEMORANDUM

Date:      March 30, 2009                Refer To:

To:        Martha Lambie
           Acting Regional Commissioner
           Denver

From:      Inspector General

Subject:   Administrative Costs Claimed by the Utah Disability Determination Services
           (A-07-09-19005)

OBJECTIVE

Our objectives were to evaluate the Utah Disability Determination Services’ (UT-DDS)
internal controls over the accounting and reporting of administrative costs, determine
whether costs claimed by the UT-DDS were allowable and properly allocated and funds
were properly drawn, and assess limited areas of the general security controls
environment. Our audit included the administrative costs claimed by the UT-DDS
during Federal Fiscal Years (FY) 2006 and 2007.

BACKGROUND

The Disability Insurance (DI) program, established under Title II of the Social Security
Act (Act), provides benefits to wage earners and their families in the event the wage
earner becomes disabled. The Supplemental Security Income (SSI) program,
established under Title XVI of the Act, provides benefits to financially needy individuals
who are aged, blind, and/or disabled.

The Social Security Administration (SSA) is responsible for implementing policies for
the development of disability claims under the DI and SSI programs.
Disability determinations under both DI and SSI are performed by disability determination
services (DDS) in each State and other responsible jurisdictions. Such determinations
are required to be performed in accordance with Federal law and underlying
regulations.[1] In carrying out its obligation, each DDS is responsible for determining
claimants’ disabilities and ensuring adequate evidence is available to support its
determinations. To assist in making proper disability determinations, each DDS is
authorized to purchase medical examinations, X rays, and laboratory tests on a
consultative basis to supplement evidence obtained from the claimants’ physicians or
other treating sources.

[1] Social Security Act §§ 221 and 1614, 42 U.S.C. §§ 421 and 1382c; see also 20 C.F.R. §§ 404.1601 et
seq. and 416.1001 et seq.

SSA reimburses the DDS for 100 percent of allowable reported expenditures up to its
approved funding authorization. The DDS withdraws Federal funds through the
Department of the Treasury’s (Treasury) Automated Standard Application for Payments
system to pay for program expenditures. Funds drawn down must comply with Federal
regulations[2] and intergovernmental agreements entered into by Treasury and States
under the Cash Management Improvement Act of 1990.[3]

An advance or reimbursement for costs under the program must comply with Office of
Management and Budget Circular A-87, Cost Principles for State, Local, and Indian
Tribal Governments. At the end of each quarter of the FY, each DDS is required to
submit a State Agency Report of Obligations for SSA Disability Programs (SSA-4513)
to account for program disbursements and unliquidated obligations.[4]
The SSA-4513
reports expenditures and unliquidated obligations for Personnel Service Costs, Medical
Costs, Indirect Costs, and All Other Nonpersonnel Costs.[5]

The Utah State Office of Rehabilitation is the UT-DDS’ parent agency. The UT-DDS is
located in Salt Lake City, Utah.

RESULTS OF REVIEW

Our evaluation of the UT-DDS’ controls over the accounting and reporting of
administrative costs disclosed that improvements were needed in the Medical Cost
process. Specifically, the UT-DDS made duplicate payments for consultative
examinations (CE) and medical evidence of record (MER), reimbursed CE providers at
a rate that exceeded the maximum rate allowed under Federal regulations, did not
follow its established criteria for incentive payments to CE providers, and needed to
improve its controls over the CE provider sanction process. Other costs claimed by the
UT-DDS during our audit period were allowable, properly allocated, and funds were
properly drawn.

[2] 31 C.F.R. § 205.1 et seq.
[3] Pub. L. No. 101-453, 104 Stat. 1058, in part amending 31 U.S.C. §§ 3335, 6501, and 6503.
[4] SSA, POMS, DI 39506.201 and 202. POMS, DI 39506.200 B.4 provides, in part, that “Unliquidated
obligations represent obligations for which payment has not yet been made. Unpaid obligations are
considered unliquidated whether or not the goods or services have been received.”
[5] SSA, POMS, DI 39506.201 and 202.

Regarding general security controls, we found the UT-DDS needed to improve its
computer inventory controls.
We also found the UT-DDS’ security plan was incomplete,
disaster recovery plan (DRP) had not been tested, spare office key management lacked
controls, and computer system back-up data were not stored off-site.

DUPLICATE MEDICAL PAYMENTS

During our audit period, the UT-DDS made duplicate CE and MER payments totaling
$6,280. Federal regulations provide that SSA “…will give the State funds…for
necessary costs in making disability determinations….”[6] Duplicate payments do not
represent a necessary cost. According to the UT-DDS, the duplicate payments may
have occurred because invoice payment authorizations were cancelled and
subsequently reauthorized for payment without the UT-DDS first verifying a payment
had been made. For example, if a vendor contacts the UT-DDS alleging nonpayment
of an invoice, the UT-DDS can cancel the original authorization and reauthorize the
invoice for payment. If the original invoice was paid, a duplicate payment could result.
We recommend SSA instruct the UT-DDS to refund $6,280 in duplicate payments and
establish procedures that prevent future duplicate medical payments.

EXCESSIVE CE COSTS

During FY 2006, the UT-DDS spent $4,248 in excessive CE fees. The excessive fees
occurred because the UT-DDS reimbursed medical providers at a payment rate that
exceeded the maximum rate paid by Federal or other agencies in the State for one type
of CE.
Specifically, for lumbar spine X rays the UT-DDS’ rate of payment exceeded the
rate paid by the Utah State Office of Rehabilitation.

CE                   AMOUNT DDS PAID   HIGHEST ALLOWABLE FEE   NUMBER OF EXAMS PURCHASED IN FY 2006   EXCESS FEES
Lumbar Spine X ray   $90               $54                     118                                    $4,248

Federal regulations require that each State determine the payment rates for medical or
other services necessary to make determinations of disability. The rates may not
exceed the highest rate paid by Federal or other agencies in the State for the same or
similar types of service.[7] Further, the State is responsible for monitoring the rates of
payment for medical and other services to ensure the rates do not exceed the highest
rate paid by Federal or other agencies in the State.[8] We recommend SSA determine
whether it was necessary for the UT-DDS to exceed the highest allowable fee to obtain
lumbar spine X rays. If SSA determines it was not necessary for the UT-DDS to exceed
the highest allowable rate of payment, it should take appropriate action, such as
instructing the UT-DDS to refund the excess CE payments and limiting future CE rates
of payment to the highest allowable fee.

[6] 20 C.F.R. §§ 404.1626(a) and 416.1026(a).
[7] 20 C.F.R. §§ 404.1624 and 416.1024.
[8] SSA, POMS, DI 39545.600 D.

INCENTIVE PAYMENTS

During our audit period, the UT-DDS made incentive payments to CE providers that
were not in accordance with its own policy.
SSA policy states that medical provider
contracts should require time standards for the receipt of reports, including incentive
provisions.[9] According to UT-DDS policy, an incentive payment of $20 is made to CE
providers if the CE report was received within 10 days of the date of the CE.[10] For 18
of the 47 incentive payments we reviewed, the CE report was not received within
10 days.[11] Therefore, the UT-DDS’ failure to follow its policy resulted in improper
incentive payments. We recommend SSA remind the UT-DDS to follow its established
policy for incentive payments.

SANCTION LISTING

The UT-DDS did not review the Health and Human Services, Office of Inspector
General (HHS/OIG) List of Excluded Individuals/Entities (LEIE) to ensure CE providers
it intended to use were not barred from participation in any Federal or federally assisted
program. The UT-DDS is at-risk of contracting with CE providers whose services have
been sanctioned by other Federal agencies if it does not review the HHS/OIG sanction
listing. SSA policy indicates that a qualified medical source must not be barred from
participation in Federal programs.[12] Also, underlying SSA procedures require that,
before using the services of any CE provider, DDSs must review the LEIE for each CE
provider and then at least annually.[13]

The UT-DDS stated it was unaware of the requirement to review the HHS/OIG sanction
listing. Since learning of this requirement, the UT-DDS stated it will begin using the
HHS/OIG sanction listing. We recommend SSA instruct the UT-DDS to review the
HHS/OIG sanction listing to verify current CE providers are not sanctioned from
participation in any Federal or federally assisted program.
We also recommend SSA
instruct the UT-DDS to review the HHS/OIG sanction listing as part of its CE provider
background check process.

[9] SSA, POMS, DI 39542.205 C.2.c.
[10] During FYs 2006 and 2007, the UT-DDS made incentive payments totaling approximately $240,000.
[11] In FY 2006, we found that 8 out of 21 incentive payments made to CE providers were for untimely
reports. For FY 2007, we found that 10 out of 26 incentive payments were for untimely reports.
[12] SSA, POMS, DI 39569.300 A.
[13] SSA, POMS, DI 39569.300 B.1 and 2.

INVENTORY CONTROLS

The UT-DDS did not maintain accurate and complete inventory records of computer
equipment. Specifically, SSA-purchased computer equipment was not included in the
official State inventory listing, and three surplus laptop computers were not listed in the
State surplus equipment system. Not maintaining adequate inventory records hinders
detection of stolen or misplaced equipment. SSA policy requires that all sensitive
equipment be inventoried,[14][15] and SSA’s definition of sensitive equipment includes
computers.[16] The UT-DDS did not record SSA-purchased computer equipment in the
official State inventory system because, according to State policy, anything with a
purchase value of less than $5,000 did not have to be on the fixed-asset inventory. We
recommend SSA instruct the UT-DDS to work with its parent agency to ensure the
SSA-purchased computer equipment is tracked with an inventory system that complies
with the policies of SSA.

INCOMPLETE SECURITY PLAN

The UT-DDS’ security plan did not adhere to SSA’s policy requiring an eight-part
security plan, with each part containing specific information.
[17] Because SSA’s policy for
an eight-part security plan was not followed, essential information was missing from the
UT-DDS’ security plan.

Specifically, the UT-DDS security plan was missing

1. a schedule on how new employees and contractors are trained;

2. instructions for the comprehensive integrity review process;

3. a description of SSA and UT-DDS responsibilities and a description of workload and
   workflow of the UT-DDS;

4. documented local resources needed to operate the UT-DDS in the event of a
   disaster; and

5. documented procedures for its review of the software lists/logs created from
   monitoring UT-DDS users.

[14] SSA AIMS Guide, MRM 04.04.04.
[15] 20 C.F.R. §§ 404.1628 and 416.1028.
[16] SSA AIMS Guide, MRM 04.01.03.
[17] SSA, POMS, DI 39567.160 A and B.

Because the security plan is incomplete, there is a risk that critical business processes
are not protected or will not recover timely in the event of a disaster. A delay in creating
a complete security plan could result in a longer recovery period following a
catastrophic event. The UT-DDS stated it was unaware of SSA’s security plan
requirements. We recommend SSA work with the UT-DDS to ensure a security plan
meeting SSA requirements is completed timely.

DISASTER RECOVERY PLAN NOT TESTED

The UT-DDS’ DRP was not tested as set forth in SSA policy.[18] The DRP documents
DDS data and personnel information involved in restoring system operations that are
vital to disaster recovery. As a result of not testing the DRP, there was a risk that
critical business processes were not protected or would not recover timely in the event
of a disaster. The UT-DDS did not have policies in place to ensure the testing of the
DRP.
The UT-DDS’ delay in testing the DRP could result in a longer recovery period
following a catastrophic event. We recommend SSA work with the UT-DDS to ensure
the DRP is tested timely.

KEY MANAGEMENT

The UT-DDS did not have a system to log spare office keys. In fact, the keys were kept
in an unlocked drawer. Stolen or misplaced office keys could go undetected without
adequate internal controls over office keys. This also creates a risk of unauthorized
access to sensitive SSA information and systems and the interruption of service if the
systems are compromised. SSA policy states that office keys should be logged to
control their distribution.[19] The UT-DDS Security Officer stated he was not aware of the
requirement. We recommend SSA instruct the UT-DDS to maintain a log of all spare
office keys.

BACK-UP FILES

Back-up data from the UT-DDS’ computer system were not stored off-site. Although
the UT-DDS had taken precautions to store the back-up tapes in a fireproof container,
there remained a risk that the back-up data may be destroyed or be inaccessible under
certain conditions.

[18] SSA, POMS, DI 39567.195 C.
[19] SSA, POMS, DI 39567.040 A.

SSA security guidelines highly recommend that a copy of back-up data files be stored
off-site.[20] UT-DDS personnel stated that because they do not have encryption software
to back up the computer system’s data, they would prefer not to move these tapes
off-site. However, additional DDS security guidelines permit the use of password
protection to safeguard back-up media if encryption is not possible.[21] We recommend
the UT-DDS work with SSA to determine whether it is feasible to encrypt or
password-protect the back-up tapes for off-site storage.
If the DDS is unable to encrypt or
password-protect the back-up tapes, the regional office should ensure the back-up
tapes are adequately protected while on-site at the UT-DDS.

CONCLUSION AND RECOMMENDATIONS

Our evaluation of the UT-DDS’ controls over the accounting and reporting of
administrative costs disclosed that improvements were needed in the Medical Cost
process. Specifically, the UT-DDS made duplicate payments for CE and MER,
reimbursed CE providers at a rate that exceeded the maximum rate allowed under
Federal regulations, did not follow its established criteria for incentive payments to CE
providers, and needed to improve its controls over the CE provider sanction process.
Other costs claimed by the UT-DDS during our audit period were allowable, properly
allocated, and funds were properly drawn.

Regarding general security controls, we found the UT-DDS needed to improve its
computer inventory controls. We also found the UT-DDS’ security plan was incomplete,
DRP had not been tested, spare office key management lacked controls, and computer
system back-up data were not stored off-site.

We recommend the SSA Acting Regional Commissioner:

1. Instruct the UT-DDS to refund $6,280 in duplicate payments and establish
   procedures that prevent future duplicate medical payments.

2. Determine whether it was necessary for the UT-DDS to exceed the highest
   allowable fee to obtain lumbar spine X rays. If SSA determines it was not necessary
   for the UT-DDS to exceed the highest allowable rate of payment, it should take
   appropriate action, such as instructing the UT-DDS to refund the excess CE
   payments and limiting future CE rates of payment to the highest allowable fee.

3. Remind the UT-DDS to follow its established policy for incentive payments.

4.
   Instruct the UT-DDS to review the HHS/OIG sanction listing (a) to verify current CE
   providers are not barred from participation in any Federal or federally assisted
   program and (b) as part of its CE provider background check process.

[20] SSA, POMS, DI 39567.195 B.
[21] SSA, POMS, DI 39567.240.

5. Instruct the UT-DDS to work with its parent agency to ensure the SSA-purchased
   computer equipment is tracked with an inventory system that complies with the
   policies of SSA.

6. Work with the UT-DDS to ensure (a) a security plan meeting SSA requirements is
   completed timely and (b) the DRP is tested timely.

7. Instruct the UT-DDS to maintain a log of all spare office keys.

8. Work with the UT-DDS to determine whether it is feasible to encrypt or
   password-protect the back-up tapes for off-site storage. If the UT-DDS is unable to encrypt or
   password-protect the back-up tapes, SSA should ensure the back-up tapes are
   adequately protected while on-site at the UT-DDS.

AGENCY COMMENTS

SSA and the UT-DDS agreed with our recommendations. See Appendices C and D,
respectively, for the full text of SSA and UT-DDS’ comments.

OTHER MATTER

Personally Identifiable Information

The UT-DDS routinely disclosed disability claimants’ personally identifiable information
(PII) to vendors. The UT-DDS processes over 14,000 disability determinations each
FY. During the disability determination process, the UT-DDS purchases services
including CE, MER and claimant travel. Our review of medical and applicant travel
invoices revealed these documents contained PII including name, address, date of
birth, and Social Security number (SSN).
Although we have no reason to believe this
information was abused, this practice could result in abuse of claimants’ PII.

Federal guidance dictates that agencies should reduce their current holdings of all PII
to the minimum necessary for the proper performance of a documented agency
function.[22] Agencies must also review their use of SSNs in agency systems and
programs to identify instances in which collection or use of the SSN is superfluous.[23]

[22] Office of Management and Budget Memorandum M-07-16, Safeguarding Against and Responding to
the Breach of Personally Identifiable Information, Attachment 1 § B.1.a (page 2) indicates a few simple
and cost-effective steps to reduce the risks related to a data breach of PII, such as limiting access to only
those individuals who must have such access. Access is defined as the ability or opportunity to gain
knowledge of PII.
[23] Office of Management and Budget Memorandum M-07-16, Safeguarding Against and Responding to
the Breach of Personally Identifiable Information, Attachment 1 § B.2.a.

On October 5, 2007, SSA’s Office of Disability Determinations informed regional offices
that DDSs should review their processes to eliminate the use of the SSNs on
correspondence where possible. Given the prevalence of identity theft, we encourage
the Utah State Office of Rehabilitation and UT-DDS to take steps to limit the disclosure
of PII (in particular, redact or truncate claimants’ SSNs) in all third-party
correspondence.

Patrick P.
O’Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Scope and Methodology
APPENDIX C – Agency Comments
APPENDIX D – State Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

Act           Social Security Act
AIMS          Administrative Instructions Manual System
CE            Consultative Examination
C.F.R.        Code of Federal Regulations
DDS           Disability Determination Services
DI            Disability Insurance
DRP           Disaster Recovery Plan
FY            Fiscal Year
HHS           Health and Human Services
LEIE          List of Excluded Individuals/Entities
MER           Medical Evidence of Record
MRM           Materiel Resources Manual
OIG           Office of the Inspector General
PII           Personally Identifiable Information
POMS          Program Operations Manual System
Pub. L. No.   Public Law Number
SSA           Social Security Administration
SSA-4513      State Agency Report of Obligations for SSA Disability Programs
SSI           Supplemental Security Income
SSN           Social Security Number
Treasury      Department of the Treasury
U.S.C.
              United States Code
UT-DDS        Utah Disability Determination Services

Appendix B

Scope and Methodology

SCOPE

To achieve our objective, we:

• Reviewed applicable Federal laws and regulations, pertinent parts of the Social
  Security Administration’s (SSA) Program Operations Manual System and other
  criteria relevant to administrative costs claimed by the Utah Disability
  Determination Services (UT-DDS), and the draw down of SSA program
  appropriations.

• Interviewed staff at the Utah State Office of Rehabilitation and the UT-DDS.

• Reviewed State policies and procedures related to personnel, medical services,
  and all other nonpersonnel costs.

• Evaluated, tested, and documented internal controls regarding accounting,
  financial reporting, and cash management activities.

• Reconciled State accounting records to the administrative costs reported by the
  UT-DDS on the State Agency Report of Obligations for SSA Disability Programs
  (SSA-4513) for Federal Fiscal Years (FY) 2006 and 2007.

• Examined specific administrative expenditures (Personnel, Medical Services,
  and All Other Nonpersonnel Costs) incurred and claimed by the UT-DDS for
  FYs 2006 and 2007 on the SSA-4513.
  We used statistical sampling to select
  expenditures to test for support of the Medical Service and All Other
  Nonpersonnel Costs, as discussed below.

• Examined the indirect costs claimed by UT-DDS for FYs 2006 and 2007.

• Compared the amount of SSA funds drawn to support program operations to the
  expenditures reported on the SSA-4513.

• Determined whether selected funds from cancelled warrants were properly
  returned to SSA.

• Determined whether unliquidated obligations were properly supported.

• Reviewed the UT-DDS’ general security control.

• Reviewed Office of Management and Budget guidance related to safeguarding
  personally identifiable information.

We determined the data provided by the State Office of Rehabilitation and UT-DDS
used in our audit were sufficiently reliable to achieve our audit objectives. We
assessed the reliability of the data by reconciling them with the costs claimed on the
SSA-4513. We also conducted detailed audit testing on selected data elements in the
electronic data files.

We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe the evidence
obtained provides a reasonable basis for our findings and conclusions based on our
audit objectives. We conducted fieldwork from March through October 2008.

METHODOLOGY

SAMPLING METHODOLOGY

The sampling methodology encompassed the four general areas of costs reported on
the SSA-4513: (1) Personnel, (2) Medical, (3) Indirect, and (4) All Other Nonpersonnel
Costs.
We obtained a data extract of all costs and the associated invoices for
FYs 2006 and 2007 for use in statistical sampling. This was obtained from the
accounting systems used in the preparation of the SSA-4513.

Personnel Costs

We randomly selected one pay period, with a pay period end date of October 20, 2006,
for review. We then selected a random sample of 50 regular employees for review and
testing of the payroll records. For medical consultant costs, we also selected the pay
period end date of October 20, 2006, for review. We then selected all 18 medical
consultants for review and testing of the payroll records.

Medical Costs

We sampled 100 items (50 items from each of FYs 2006 and 2007) using a stratified
random sample of medical costs based on the proportion of medical evidence of record
and consultative examination costs to the total medical costs claimed.

Indirect Costs

UT-DDS indirect costs are computed by applying a federally approved rate to a cost
base.[1] This methodology was approved by the U.S. Department of Education, which is
the Federal agency designated to negotiate and approve the indirect cost rate. On the
final SSA-4513s, the UT-DDS claimed indirect costs of $572,380 for FY 2006 and
$640,195 for FY 2007. We reviewed the FY 2006 and 2007 indirect cost calculations to
ensure the correct rate was applied.

All Other Nonpersonnel Costs

We sampled 105 items (53 expenditures from FY 2006 and 52 from FY 2007) using a
stratified random sample.
The random sample was based on the proportion of costs in
each of the cost categories to the total costs claimed.

[1] Total direct salaries, wages, and fringe benefits.

Appendix C

Agency Comments

Wed Mar 18, 2009

Signed Formal Draft Report (A-07-09-19005) - Denver's Reply

Patrick,
Thank you for the opportunity to review the draft report, “Administrative Costs
Claimed by the Utah Disability Determination Services” (A-07-09-19005)
#22008026. The Utah DDS has responded to the specific recommendations, a
copy of which is attached. The Social Security Administration (Denver Regional
Office) is establishing timelines to ensure all actions are completed. Following
are our comments on the specific findings:

1. Instruct the UT-DDS to refund $6,280 in duplicate payments and establish
procedures that prevent future duplicate medical payments.

Comment: The DDS has already taken steps to prevent this situation from
happening in the future, as outlined in the attached response from Utah. The
DDS is planning on refunding this amount by using the ASAP system and filing
corrected forms SSA-4513 for the fiscal years involved. We require additional
information from the auditors on how the amount requested should be divided
between Fiscal Years 2006 and 2007. This information should be added to the
OIG report.

2. Determine whether it was necessary for the UT-DDS to exceed the highest
allowable fee to obtain lumbar spine x-rays.
If SSA determines it was not
necessary for the UT-DDS to exceed the highest allowable rate of payment, it
should take appropriate action, such as instructing the UT-DDS to refund the
excess CE payments and limiting future CE rates of payment to the highest
allowable fee.

Comment: We support the actions of the Utah DDS regarding these fees. The
Utah DDS CE Fee Schedule was reviewed and approved by Social Security.
Our regional office fiscal analyst approved the fees charged for lumbar spine
X-rays as being necessary; the DDS should not be asked to refund the amount
recommended in the audit. In the future, the Utah DDS will use the fee
schedules of the Utah State Office of Rehabilitation and the Utah Department of
Health & Workforce Services. Use of these schedules will limit future CE rates
to the highest allowable fee. Since the questionable costs were based on fee
schedules approved by Social Security, refund of the $4,248 is not being
requested.

3. Remind the UT-DDS to follow its established policy for incentive payments.

Comment: Completed; Utah DDS reminded of the importance of following
established policy.

4. Instruct the UT-DDS to review the HHS/OIG sanction listing (a) to verify
current CE providers are not barred from participation in any Federal or federally
assisted program and (b) as part of its CE provider background check process.

Comment: The Utah DDS has begun reviewing sanction listings when evaluating
prospective CE providers. The Social Security Administration (Denver Regional
Office) will work with the Utah DDS to ensure current CE providers are not on the
sanction list. The Denver Regional Office will control for completion.

5.
Instruct the UT-DDS to work with its parent agency to ensure the SSA-\npurchased computer equipment is tracked with an inventory system that\ncomplies with the policies of SSA.\n\nComment: The Utah DDS will include SSA purchased equipment, including\nequipment currently in the DDS, in the Parent Agency inventory system. The\nDenver Regional Office will control to ensure completion.\n\n6. Work with the UT-DDS to ensure (a) a security plan meeting SSA\nrequirements is completed timely and (b) the DRP is tested timely.\n\nComment: The Utah DDS is revising their Security Plan to meet SSA\nrequirements and will perform appropriate tests. Please refer to Utah\'s response\nfor specific features that will be included in the revised plan. The Denver\nRegional Office will control for completion.\n\n7. Instruct the UT-DDS to maintain a log of all spare office keys.\n\nComment: The Utah DDS is now logging spare keys and housing those in a\nlocked drawer.\n\n8. Work with the UT-DDS to determine whether it is feasible to encrypt or\npassword protect the back-up tapes for off-site storage. If the DDS is unable to\nencrypt or password-protect the back-up tapes, SSA should ensure the back-up\ntapes are adequately protected while on-site at the UT-DDS.\n\nComment: The Utah DDS is working with SSA to encrypt or password protect\nthese tapes. The Denver Regional Office will control for completion.\n\n9. Other Matter: "[W]e encourage the Utah State Office of Rehabilitation and\nUT-DDS to take steps to limit the disclosure of PII (in particular, redact or\ntruncate claimants\xe2\x80\x99 SSNs) in all third-party correspondence."\n\nComment: Social Security will work with the Utah DDS to reduce their current\nholdings of PII to the minimum necessary for the proper performance of a\ndocumented agency function.\nPlease let me know if you need additional information. 
Staff questions may be\ndirected to Susan Neitzert, Center for Disability, at (303) 844-7100.\nMartha Lambie\nActing Regional Commissioner, Denver\n\n                        Appendix D\n\nState Agency Comments\n\x0cFebruary 24, 2009\n\n\nPatrick P. O\xe2\x80\x99Carroll, Jr.\nInspector General\nSocial Security Administration\nBaltimore, Maryland 21235-0001\n\nAs requested in your letter of February 20, 2009 regarding the audit of the Utah Disability\nDetermination Services, please find below our comments regarding the recommendations in the\nreport. We would like to thank Doug Kelly and Nick Moore for a very comprehensive and fair\nevaluation of the administrative costs claimed by the Utah DDS.\n\nDuplicate Medical Payments\nAll requests for warrant reviews and payment reviews are now handled by a single individual.\nThis person is responsible for making sure that the vendors are listed properly for payment and\nthat payment is made correctly. It is the usual practice to obtain a copy of the warrant in\nquestion before any new or additional payment is authorized. At this point in time with the\nelectronic system we now use it is a very low probability that duplicate payments are made. The\nswitch to a single person to insure a correct payment process was instituted to address the prior\npossibility of missed and duplicate payments.\n\nExcessive CE Costs.\nSince 1994, the Utah DDS Fee Schedule has been reviewed and approved by the Regional\nOffice. In the future it is planned to primarily use the fee schedule of the Utah State Office of\nRehabilitation for laboratory and x-ray tests, and the Utah Department of Health and Department\nof Workforce Services fee schedule for physical and mental testing as the maximum amount we\nwill pay unless we receive approval through our Regional Office. Whenever possible, DDS will\ncontinue to try to pay under maximum allowed. 
Two fee schedules are required since the Utah\nState Office of Rehabilitation does not have many of the physical and mental CE\xe2\x80\x99s DDS orders\non their fee schedule.\n\nIncentive Payments\nUtah DDS had a process in place during the audit period that would allow for holiday and\nweekend days for the receipt of records, allowing initial 1-2 day leeway for reports to come in by\nmail for these days. DDS also had a process where multiple people were paying CE payments.\nTo address these potential sources of error, the CE payments are completed by one individual\nwho is primarily responsible for CE payments, one other individual who is a backup, and a\nsupport payment person. After reviewing current policy, it was decided to revise policy to allow\npayment of the early reporting fees to reports received within 12 calendar days after the\nexamination so there is no question about timeframes.\n\nSanction Listing\nDDS will include the HHS/OIG sanction listing as part of the provider background check\nprocess.\n\nInventory Controls\nThis has been discussed with the parent agency and DDS will include the SSA purchased\ncomputer equipment and be tracked by the parent agency inventory system.\n\nIncomplete Security Plan\nThe Utah DDS Security Plan will be revised to include all of SSA\xe2\x80\x99s security plan requirements\nand specifically address:\n       1. a schedule on how new employees and contractors are trained;\n       2. instructions for the comprehensive integrity review process;\n       3. a description of SSA and UT-DDS responsibilities and a description of workload and\n           workflow of the UT-DDS;\n       4. documented local resources needed to operate the UT-DDS in the event of a disaster;\n       5. 
documented procedures for its review of the software lists/logs created from\n           monitoring UT-DDS users.\n\nDisaster Recovery Plan Not Tested\nThe Utah DDS Disaster Recovery Plan will be tested according to SSA requirements specifically\nincluding policies to insure the timely testing of the Utah DRP.\n\nKey Management\nThe Utah DDS now has and will maintain a log of all spare office keys and the spare keys will be\nkept in a locked desk drawer. This was facilitated by a move to a new facility in late October\n2008 which has allowed DDS to start from scratch on key management.\n\nBack-up Files\nThe Utah DDS will work with the regional office to either encrypt or password-protect back-up\ntapes for off-site storage or to ensure back-up tapes are adequately protected while on-site at the\nUtah DDS. Since the audit, the Utah DDS has moved to a new facility which has significantly\nincreased the adequacy of on-site storage.\n\n\n\n\nDonald R. Uchida\nExecutive Director\n\npc: Gary Nakao, Director, Utah DDS\n\n                                                                     Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Mark Bailey, Director, Kansas City Audit Division\n\n   Ron Bussell, Audit Manager, Kansas City Audit Division\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Doug Kelly, Auditor-in-Charge\n\n   Nick Moore, Auditor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Staff Assistant at (410) 965-4518. 
Refer to Common Identification Number\nA-07-09-19005.\n\x0c                              DISTRIBUTION SCHEDULE\n\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Committee on the Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Oversight and Government Reform\n\n\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security Pensions and\nFamily Policy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c                         Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of an Office of Audit (OA), Office of Investigations\n(OI), Office of the Counsel to the Inspector General (OCIG), Office of External Relations (OER), and Office of\nTechnology and Resource Management (OTRM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, the OIG also has a comprehensive Professional Responsibility and Quality\nAssurance program.\n                                                 Office of Audit\nOA conducts financial and performance audits of the Social Security Administration\xe2\x80\x99s (SSA) programs and\noperations and makes recommendations to ensure program objectives are achieved effectively and efficiently.\nFinancial audits assess whether SSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of\noperations, and cash flow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s\nprograms and operations. OA also conducts short-term management reviews and program evaluations on issues\nof concern to SSA, Congress, and the general public.\n                                           Office of Investigations\nOI conducts investigations related to fraud, waste, abuse, and mismanagement in SSA programs and operations.\nThis includes wrongdoing by applicants, beneficiaries, contractors, third parties, or SSA employees performing\ntheir official duties. This office serves as liaison to the Department of Justice on all matters relating to the\ninvestigation of SSA programs and personnel. OI also conducts joint investigations with other Federal, State,\nand local law enforcement agencies.\n                            Office of the Counsel to the Inspector General\nOCIG provides independent legal advice and counsel to the IG on various matters, including statutes,\nregulations, legislation, and policy directives. 
OCIG also advises the IG on investigative procedures and\ntechniques, as well as on legal implications and conclusions to be drawn from audit and investigative material.\nAlso, OCIG administers the Civil Monetary Penalty program.\n                                        Office of External Relations\nOER manages OIG\xe2\x80\x99s external and public affairs programs, and serves as the principal advisor on news releases\nand in providing information to the various news reporting services. OER develops OIG\xe2\x80\x99s media and public\ninformation policies, directs OIG\xe2\x80\x99s external and public affairs programs, and serves as the primary contact for\nthose seeking information about OIG. OER prepares OIG publications, speeches, and presentations to internal\nand external organizations, and responds to Congressional correspondence.\n                          Office of Technology and Resource Management\nOTRM supports OIG by providing information management and systems security. OTRM also coordinates\nOIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human resources. In addition, OTRM is the\nfocal point for OIG\xe2\x80\x99s strategic planning function, and the development and monitoring of performance\nmeasures. In addition, OTRM receives and assigns for action allegations of criminal and administrative\nviolations of Social Security laws, identifies fugitives receiving benefit payments from SSA, and provides\ntechnological assistance to investigations.\n\x0c'